AW: Using a Kerberized application outside the Kerberos Realm

Florian Frankenberger ffrankenberger at
Tue Aug 22 03:18:29 EDT 2006

Thank you, Mike.

In my case, Alice isn't running in a domain at all. That's why I have to implement the check for authenticity on Alice's side in my own way. So what about the idea of having the service ticket encrypted with the symmetric key that only the KDC and Alice know? Doesn't this mean a kind of secure proof of authentcity to Alice if the ticket passed by Bob can be decrypted with the shared secret key?
Or is it simply impossible to get a service ticket for a service that doesn't exist in this or any other domain?

-----Ursprungliche Nachricht-----
Von: Michael B Allen [mailto:mba2000 at]
Gesendet: Montag, 21. August 2006 20:49
An: Florian Frankenberger
Cc: kerberos at
Betreff: Re: Using a Kerberized application outside the Kerberos Realm

On Mon, 21 Aug 2006 18:40:28 +0200
"Florian Frankenberger" <ffrankenberger at> wrote:

> My problem is that Alice is not in the domain in which the KDC is running. To be more precise, the KDC and the service Alice are set up in different network environments and thus do not know each other.
> Is it possible to create a kerberized service that is not part of the Kerberos realm? If yes, what do I have to do?

Alice and Bob have to be in the same realm or in separate realms that
have a trust established between them. Otherwise the is no basis for
establishing trust between Alice and Bob. Kerberos is a "thrid party
authentication system" so there needs to be someone both principals trust.

> I thought of sharing the symmetric service key between the KDC and Alice. To do so, I tried to create the service Alice with ktpass, give the so created encryption key to Alice and let Alice decrypt the service tickets, that will be delivered by Bobs later.
> Is this procedure possibly in theory? Does anyone know how to obtain the service ticket by using JAAS? I only managed to get the TGT.

If Bob requests a ticket for ALICESVC/ at AI-AG.DE then
even if Bob is bob at AI-AG.US he should have no problem looking up the
KDC for AI-AG.DE using DNS and getting a ticket per usual. But a trust
relationship would be required between AI-AG.DE and AI-AG.US.


Michael B Allen
PHP Active Directory SSO

More information about the Kerberos mailing list